Wrong Address: When Scam Victims Retaliate Against Targeted Companies

June 18, 2024

By TorchStone Senior Analyst, Ben West

According to FBI estimates, fraudulent online activity scammed victims out of $12.5 billion in 2023. In addition to the financial losses associated with scams, there is also a risk of physical violence. TorchStone has noted several recent examples involving threats against legitimate companies and individuals due to fraudulent activity by scammers impersonating them.

Impersonating a well-known business or individual gives scammers immediate credibility with their victims and helps them gain trust. However, when the victim finds out about the scam, they may seek retribution against the impersonated company or individual, causing physical damage or personal harm. Monitoring threats and being prepared to respond to them are key to protecting personnel and assets.

Impersonation Scams Target Individuals and Companies

In 2023, the Federal Trade Commission (FTC) received 330,000 reports of business impersonation scams. The most impersonated companies were Best Buy/Geek Squad, Amazon, PayPal, and Microsoft—Microsoft impersonations were the most lucrative for scammers, who stole at least $60 million ripping off the Microsoft brand. Of course, scams also impersonate highly recognizable people, ranging from CEOs to celebrities and journalists. In 2023, the FTC received thousands of complaints concerning scams impersonating entrepreneur Elon Musk—some of which employed AI and deepfake technology to fabricate messages from Musk in what appeared to be scattershot approaches to tricking victims.

Other impersonation scams are more specific and targeted. In February 2024, an 81-year-old widow from Tennessee lost $30,000 in a scam impersonating country music star Luke Bryan. In the same month, a Chicago woman lost over $80,000 in a scam impersonating Chicago Fire actor Taylor Kinney. One scammer targeted a woman after she posted praise to the Facebook account she thought belonged to NBC News correspondent Jacob Soboroff. After moving the conversation from Facebook to a private WhatsApp chat, the scammer encouraged the woman to let her bills go that month and transfer $17,000 in Bitcoin and gift cards. In that case, the woman eventually did get to meet with Soboroff and tell her story to help others avoid such scams. However, not all impersonation scams end so positively.

When Victims Come to Collect

TorchStone is aware of at least two incidents in which impersonation scams led to threats and physical damage to the persons and companies that scammers were impersonating. Out of respect to the targets, we will not name the impacted individuals or companies. Several years ago, a man showed up outside an office building in California claiming he had an employment contract with an entertainment company. It quickly became apparent that the man, who had traveled from out-of-state, was the victim of a scam that impersonated executives with the company. When he was informed of the scam, he became angry and broke a window in the building.

We are also aware of a high-profile individual receiving a threatening letter that accused him of extorting tens of thousands of dollars from the author in what appears to have been an impersonation scam.

There are other examples of companies and their employees getting caught in the middle of a scam and being attacked despite being innocent. In March 2024, an Ohio man fatally shot an Uber driver whom scammers had hailed to his house to collect money they had demanded. The scammers had impersonated local law enforcement, claiming that the man’s family member was incarcerated and required a bail bond, but the scam eventually collapsed into a flat-out ransom demand. While the Uber driver was in no way connected to, or even aware of, the crime taking place, the man targeted in the scam assumed she was involved and shot her when she arrived.

Scams typically start with small asks (similar to the “little hook” in intelligence practice) such as personalized appeals to donate to a charity or purchase memberships to a fan club. Once scammers have identified victims who are willing to pay, they will focus more effort on them, potentially segueing into an online romance scam, taking advantage of victims’ admiration of the celebrity and appealing to their emotions.

While falling for a scam almost always ends up poorly for the victim, it can also bring harm to the individuals or companies impersonated by the scammers. Victims of scams might not realize that they are being scammed until they reach out to the subject being impersonated, or they might just feel the need to vent their frustrations on the subject being impersonated. Even though the individuals and companies impersonated in the scam have nothing to do with the criminal activity, they can still find themselves caught up in it, and could become a target of convenience for frustrated, financially ruined victims.

Monitoring and De-Escalation

The first step to protecting your company and executives against retribution for impersonation scams is to be aware of who is being impersonated. Fortunately, the Better Business Bureau has a ScamTracker service that allows users to search through reported fraudulent activity for specific business names.

However, most scams are never formally reported, and attempted scams are even less likely to be reported. A comprehensive threat intelligence monitoring service would be able to identify and track impersonation scams involving social media accounts, in addition to other threatening mentions of companies or individuals. The TorchStone GSOC regularly discovers and reports impersonation scam attempts utilizing our clients’ brands and names on social media.

Once a corporate security team is tracking impersonation scams targeting its company or executives, it can provide guidance to the broader security team and receptionists who are most likely to come into first contact with potential scam victims. As noted in the NBC News example above, not every scam victim poses a threat to the company or individuals who were impersonated. But if an employee is the first to inform a person that they were the victim of an impersonation scam in which they possibly lost thousands of dollars, an emotional response is possible.

Alerting the security team or even calling 911 is a good first option. After all, there was a crime committed, and the earlier it is reported, the better. It also helps to have trained support nearby in case the situation does escalate.

Being prepared to provide support to the victim of an imposter scam is one way to help de-escalate a tense situation. There are multiple services immediately available to scam victims, ranging from fraud reporting guidance and mechanisms from the FTC, fraud response checklists from the National Center for Victims of Crime, support groups endorsed by the Association of Certified Fraud Examiners, to the Internet Crime Complaint Center. Giving the victim a productive way to react to a crime will reduce the likelihood that they take out their frustration on the company or the individuals impersonated by the criminals.